Our researchers discovered a vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022. The vulnerability allows an attacker to obtain a user's NTLM credentials simply by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk containing such a file, or by viewing the Downloads folder into which such a file was previously downloaded automatically from an attacker's web page.
We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.
We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation.
This is the third 0day we have recently found and reported to Microsoft, after the Windows Theme file issue (still a 0day without an official patch) and the Mark of the Web issue on Server 2012 (also still a 0day without an official patch).
In addition, the "EventLogCrasher" vulnerability, allowing an attacker to disable all Windows event logging on all domain computers (reported to Microsoft in January this year by security researcher Florian), is still waiting for an official patch so our patches for it are the only ones available.
There are also currently three publicly known NTLM-related "won't fix" vulnerabilities that Microsoft decided not to patch and for which 0patch patches are available: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All of these are present on all latest fully updated Windows versions, and if your organization is using NTLM for any reason, it could be affected.
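The attack class described above works by coercing the victim's machine into an outbound NTLM authentication, so the practical question for a defender is whether the host is allowed to send NTLM to arbitrary remote servers at all, and whether such attempts are recorded. The following PowerShell snippet is an added example for this post, not 0patch code and not the vulnerability's trigger: it reads the documented NTLM policy values under the Lsa and Lsa\MSV1_0 registry keys and counts outgoing-NTLM audit events (ID 8001 in the Microsoft-Windows-NTLM/Operational log) from the last seven days. The seven-day window, the "Target server:" message parsing and the verdict wording are this example's own assumptions.

```powershell
# Added example (not 0patch code): summarise a host's NTLM posture the way a defender
# would before judging its exposure to an outbound-NTLM credential leak.
# Registry locations and the NTLM/Operational event ID are Microsoft's documented ones;
# the 7-day window, message parsing and verdict wording are assumptions of this example.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = "$lsaKey\MSV1_0"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing value means "not configured", which Windows treats as the permissive default.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# LmCompatibilityLevel 0-5: 5 = send only NTLMv2 responses, refuse LM and NTLM.
$lmLevel  = Get-PolicyValue -Path $lsaKey -Name 'LmCompatibilityLevel'
# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all outgoing NTLM.
$outbound = Get-PolicyValue -Path $msvKey -Name 'RestrictSendingNTLMTraffic'
# AuditReceivingNTLMTraffic: 0 = off, 1 = audit domain accounts, 2 = audit all accounts.
$inbound  = Get-PolicyValue -Path $msvKey -Name 'AuditReceivingNTLMTraffic'

# Event 8001 in Microsoft-Windows-NTLM/Operational records outgoing NTLM authentication
# when auditing (value 1 above) is enabled; its message names the remote server targeted.
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = $since
} -ErrorAction SilentlyContinue)

# Pull the target server out of each message; fall back to "unknown" if the text differs.
$targets = $events | ForEach-Object {
    if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { 'unknown' }
} | Group-Object | Sort-Object Count -Descending

$verdict = switch ($outbound) {
    2       { 'outgoing NTLM denied: a forced authentication cannot deliver credentials to a remote host' }
    1       { 'outgoing NTLM audited only: attempts are logged (event 8001) but not blocked' }
    default { 'outgoing NTLM unrestricted: nothing stops or records a forced authentication' }
}

[pscustomobject]@{
    LmCompatibilityLevel     = $lmLevel
    RestrictSendingNTLM      = $outbound
    AuditReceivingNTLM       = $inbound
    OutgoingNtlmEventsLast7d = $events.Count
    TopTargetServers         = ($targets | Select-Object -First 5 |
                                ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
    Verdict                  = $verdict
}
```

Run it in an elevated PowerShell session on the endpoint, since reading the Operational log and some Lsa values requires administrative rights. Setting the outbound policy to audit first and reviewing the top target servers shows which legitimate NTLM destinations exist; those can be listed under the documented "Add remote server exceptions" policy (the ClientAllowedNTLMServers value under the same MSV1_0 key) before moving to deny, which stops the Explorer-triggered leak this post describes without breaking known-good authentication.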
Currently, 40% of our users are using 0patch for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.
Micropatch Availability
Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.
Micropatches were written for:
Legacy Windows versions:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Windows versions still receiving Windows Updates:
- Windows 11 v24H2 - fully updated
- Windows 11 v23H2 - fully updated
- Windows 11 v22H2 - fully updated
- Windows 10 v22H2 - fully updated
- Windows Server 2022 - fully updated
- Windows Server 2019 - fully updated
- Windows Server 2016 - fully updated
- Windows Server 2012 - fully updated with ESU 2
- Windows Server 2012 R2 - fully updated with ESU 2
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.
To learn more about 0patch, please visit our Help Center.
What about Windows Server 2025?
Windows Server 2025 has only been released this November and is still undergoing compatibility testing. We'll start issuing 0day patches for it when testing is completed (and results satisfactory).
Does this vulnerability also affect NTLMv2?
Yes.
Is this an attack that's likely to happen? While the NTLM exploit looks indeed very dangerous, it's still to be determined if it's also able to bypass common threat protections 🤔
Indeed, the attack may be blocked for various reasons, and by no means is every environment or computer at risk. However, a very similar vulnerability (CVE-2024-43451) was found to be used in an actual attack, so attackers clearly find these types of issues useful: https://www.clearskysec.com/wp-content/uploads/2024/11/Zero-day-cve-2024-4351-report.pdf
It is not clear to me from the article whether the 'vulnerability' allows NT Hash or Net-NTLMv1/2 to be stolen:
"an attacker could obtain a user's NTLM credentials simply by having the user view a malicious file in Windows Explorer".
These hashes, used for network authentication, are correctly called Net-NTLM hashes. Even Microsoft calls them NTLM hashes in their advisories though, e.g., https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38030, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35636, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21320.
I am not seeing any proven POC/exploit publicly available; any leads on what threat actors are exploiting this in the wild, if any?
We're not aware of threat actors exploiting this issue.
Hello,
How do I get the micropatch for my organization as a K-12 Educational institution? I've created an account and it says I can patch up to 10 devices. Do I need to purchase the Pro/Enterprise version?
Thank you.
As a not-for-profit educational institution, you can use 0patch for FREE to use this patch. You have to install 0patch Agent on your Windows computers and register it to your 0patch account. No need to purchase PRO or Enterprise.